Privacy Policy

Luminor Group Privacy Policy, effective as of 2nd January 2019

Luminor Group (further also “we”, “our” or “us”) is committed to protecting the privacy of all individuals when processing Personal Data. Processing Personal Data by Luminor is subject to the EU General Data Protection Regulation (GDPR) and applicable national laws. This Privacy Policy describes on a general level how we collect, share, and protect Personal Data. Further details on the processing of your Personal Data are described in agreements and other Service-related documents, including our Data Retention Policy.

Definitions:

Controller

The Controller of your Personal Data is the Luminor Group entity to which you have submitted your Personal Data because of a contractual or pre-contractual relationship or which Services you (or the legal entity or arrangement you are considered to be the ultimate beneficiary owner of) intend to use.

Customer

A natural person who uses, has used or has expressed the intent to use a Service.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data

Any information directly or indirectly related to an identified or identifiable Customer or other natural person whose data is processed according to this Privacy Policy and applicable laws (for example, an ultimate beneficiary owner of the customer as a legal entity).

I. General information

When does this Privacy Policy apply?

This Privacy Policy applies when you use, have used or have expressed an intention or interest to use Luminor’s services. It also applies when you are related to any of the Services indirectly (for example, as a collateral provider, an insured person in an insurance agreement or a representative of corporate or private customers, direct underlying or ultimate beneficial owner, shareholder, signatory, contractual counterparty, other person who has or had business relationships with Luminor). It also applies in cases when the relationship has been established before this Privacy Policy has entered into force, and when you have provided and/or Luminor has obtained your Personal Data.

Which of my Personal Data are processed?

The exact scope of Personal Data being processed depends on the types of Services or relationship with Luminor. Luminor’s core activities involve providing financial and insurance products and Services. This includes accounts and payment services, loans and leasing, electronic banking services, savings and investment products and services, including pension funds as well as insurance. Luminor also offers selected real estate-related financial services. We process your Personal Data to provide and improve these Services. Additionally, Luminor processes the Personal Data of its corporate, private customers’ and vendors’ representatives. Personal Data we collect and process includes:

special category data such as data about criminal convictions, legal capacity (in special cases);

other data:

data about the participation in companies and other types of legal entities, data about managers and other persons having decisive votes or representatives of the companies using or intending to use Services, as well as their ultimate beneficiary owners’ information and contact details of the representatives of the companies using or intending to use Services;

information on social security contributions and insurance, information on payable pension/allowance/indemnification;

legal proceedings (type);

correspondence records (type, date, tracking ID);

risk profiling and classification (risk type, risk class);

video surveillance data such as video records captured at ATMs and Customer service units;

voice records data such as voice records of phone or Skype or other Internet based calls;

data concerning the applicability of any sanctions, including data regarding any relevant business dealing or activities, including any adverse media coverage that is available.

We do not process sensitive data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using Services (e.g. in payments details).

We only collect data about children if they use a Luminor Service or if you provide us with information about your own children in relation to a Service you use.

How does Luminor collect my Personal Data?

Generally, Luminor receives Personal Data directly from the person to whom the data relates. For example, when you:

apply for Services (for example, open an account or apply for a loan or leasing);

use Services (for example, use your credit or debit card or deposit money);

make contributions to Luminor pension funds;

contact Luminor (for example, visit our website or internet bank, contact us via phone or other means of distance communication), fill in a form on our websites or leave your contact information with Luminor for whatever reason;

visit our websites, use our internet bank or phone app.

In some instances, Luminor obtains Personal Data from persons other than the data subject (e.g. you). This is the case, for instance, when a parent applies for a service that involves a child, when legal entities apply for services that involve their employees, when one spouse provides Personal Data about another, or when, according to applicable laws, information related to the financial obligations and incomes of a household has to be obtained and evaluated. In such instances, we require that such data subjects are informed about the disclosure of their Personal Data to Luminor and the purpose of such Personal Data Processing. Furthermore, in such instances we require that, when you are providing Personal Data about a data subject other than yourself, you introduce such data subjects to our Privacy Policy.

Personal Data can also be provided to Luminor by third parties on the request of a potential customer. For example, real estate brokers or car dealers may send your Personal Data to Luminor if so requested by you.

Personal data can also be received by Luminor when we are signing various agreements where a counterparty or a representative of a counterparty is not necessarily a Customer (e.g. mortgage agreement, warranty agreement, agreement concluded with a legal entity, where contact persons or representatives’ data are indicated).

Within the Luminor Group, all Luminor entities have access to Personal Data disclosed to Luminor insofar as such access is necessary for administrative purposes or covered by Luminor’s legitimate interests.

When we have a legitimate interest (which entails the mitigation of our risks depending on the type of service you procure from us, risk assessment activities, etc.) we also collect your Personal Data from other external sources, such as credit bureaus, public and private registers or other companies or state institutions, including information from databases of third-party service providers and publicly available sources, such as media sources, search engines which may include automated data processing means or artificial intelligence solutions.

Does Luminor use cookies?

Yes, Luminor uses cookies, which are small text files placed on your computer, smartphone or other device in order to improve the website functionality and facilitate better user experience. Luminor’s Cookie Policy is available here.

What does it mean when Luminor refers to another Controller and its Privacy Policies?

Where Luminor transfers your Personal Data to another controller, either because of the nature of a Service (e.g. information on payment is transferred to receiver’s payment institution; information about holder of a financial instrument is transferred to central securities depository or custodian of financial instruments, etc.), due to requirements of applicable laws or when Luminor has other legal ground for such transfer, the privacy policies of such other Controllers may apply to further processing. Our agreements with such Controllers may require us to provide a link to their privacy policies or similar documents.

II. Why does Luminor collect and process my Personal Data?

Providing Services

The first and foremost reason why we need your Personal Data is for providing our Services. Any data processing for the fulfilment of the purposes indicated herein is foremost conducted for the conclusion, fulfilment, and ensuring the fulfilment, of any agreements under which our Services are provided.

There will be Personal Data which we will always need without regard to what Service you choose, such as your identification information or contact information, preferences of communication language, etc. But some Services, because of their nature, will require more information. For example, in the case of any type of loan or leasing, we will need information about your income and household as well as information about other liabilities. If you are applying for or have a mortgage loan, we also will need information about property, including information about its insurance. We also need specific data if you would like to apply for or are using investment products. In such cases, for example, we need to know and evaluate your overall investment experience and knowledge about these products and services to offer you suitable products and services or advise you to reconsider, when we think your choice might be too risky taking into account your personal circumstances.

Financial services are related to various risks, and we are obliged to manage those risks to ensure the sustainability of our business model and protect the interest of depositors and society in general.

This means we monitor issued loans and the performance of those loans, and learn from our history (previously issued loan history) in order to improve our credit assessment process. In addition, we may also obtain updated information from credit registers and similar public external sources.

Fulfilling requirements set in laws and regulations

Banking is a highly regulated industry, which means that in order to provide Services to you, we need to comply with many regulations. Therefore, we need to collect explicit identification information, but in certain cases, we need to collect additional personal information. For example, to follow all anti-money-laundering requirements, we need to know information about your source(s) of income, whether you are a politically exposed person or related to one and your tax residency country. Most of that information we collect from you in the so-called Know Your Customer questionnaires. We are obliged to obtain Personal Data about you even if you are not directly our customer but the ultimate beneficiary or the owner of the corporate entity (e.g. company) which is our customer. Moreover, we are required to monitor your transactions and investigate if their pattern deviates from information provided by you earlier and, if needed, ask for additional information (e.g. agreement or other document proving source of unexpected income).

Depending on the changes in the regulatory framework under which we operate, we may need to process your Personal Data for the fulfilment of new requirements set out in laws and regulations. For example, we also need to process your Personal Data in order to make sure that we fulfil all the requirements deriving from applicable sanction-related regulations, e.g. verify that you are not a sanctioned person, that your business operations do not involve sanctioned persons, that you are not under the investigation of any relevant authorities, etc. Persons who are identified as higher-risk clients might be subject to enhanced Know Your Customer measures and additional Personal Data might be asked from them or acquired about them.

We must also report to public authorities, like the state revenue service, social security institutions, central banks or other financial sector supervisory authorities. The exact scope of reported Personal Data will depend on which law(s) or regulatory requirements we are fulfilling. If you have deposits (including funds in current account(s)) or investment products, we may be obliged to report to the tax authorities about account balance(s) and interests paid; in the case of a loan, we will be obliged to report data about your loan (e.g. financial obligation(s)).

Most of the data we will receive from you, but we will also use third party registers or other sources.

Improving services and being relevant to you

We want to offer Services and provide information which are relevant to you. We improve our Services constantly, and thus customer data and input is very important. We also want you to know about our new or improved Services. We analyse our Customers’ data to develop and offer additional Services, perform Customer surveys, conduct market analysis and compile statistics, and organize games or campaigns to improve your experience while using our Services.

The foregoing processing activities are mainly conducted to be compliant with relevant laws and regulations and for exercising our legitimate interest, which mainly include reducing any risks to our systems and identifying any discrepancies in databases. Based on the relevant need, all the applicable security measures are tested and renewed from time to time.

Ensuring the continuous business activities of Luminor

We may process, and respectively share your Personal Data for the said processing purposes with third persons, in order to be able to continuously provide the Services, currently and in the future, and further develop and enhance such Services, for example, for being able to raise funds, rate our business operations, guarantee our obligations, complying with requirements to which our shareholders are subject, etc. The foregoing processing activities are based on our legitimate interests, which are entailed in the processing purposes described previously.

Business transfer

We may process your Personal Data for the purposes of transactions related to the transfer of Luminor’s business or shares to the extent which is necessary for the pre-contractual engagements and conclusion or ensuring the conclusion of the relevant transactions. The foregoing processing is based on our legitimate interests which consist mainly of our need to ensure the consistency of our business and the continued provision of our Services.

III. Advertising and direct marketing

Our advertising and direct marketing communications (e.g. about our Services and related campaigns) are sent to Customers who have consented to receiving direct marketing and advertising offers from Luminor. Such Customers receive Luminor newsletters and direct marketing communications via their preferred means of communication. Luminor may market its Services to the existing Customers on the ground of legitimate interest.

How do I give consent to receive advertising and direct marketing?

Customers can give consent to receive advertising and direct marketing communications by signing a direct marketing consent form or by requesting direct marketing communications under the agreements they conclude with us. Customers who have already been receiving our direct marketing messages will continue to receive such communications after the GDPR’s entry into force.

What kind of advertising and direct marketing activities does Luminor perform?

Luminor sends newsletters and direct marketing communications. Services and products may be also promoted during various customer events organised by Luminor.

Can I object to the use of my Personal Data for direct marketing purposes?

Customers have the right to object to the processing of their Personal Data for direct marketing purposes at any time and free of charge. To exercise this right, please contact the Luminor entity whose marketing material you no longer wish to receive. Customers can also opt out of receiving the newsletter or any other advertising and marketing communications using the link provided in the e-mail message or following other instructions as provided in such direct marketing communication.

IV. Sharing and protection of my Personal Data

Who can access my Personal Data?

Only persons entitled to do so within Luminor or third parties engaged by Luminor or with whom Luminor cooperates in provision of Services (e.g. insurance companies where insurance policies are offered through Luminor, insurance brokers where they help you to insure property as required under agreement with Luminor, car dealers and/or car manufacturers where Luminor provides leasing Services, etc.) or other parties as requested or permitted by law can access your Personal Data. In cases where Personal Data Processing is carried out on behalf of Luminor by a third party, Luminor engages only third parties providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that Processing will meet the requirements of the GDPR and applicable laws and ensure the protection of your rights.

Processing activities by third-party processors shall always be governed by a Privacy & Data Processing Agreement or other specific terms agreed upon by Luminor and such third party processor.

The nature of Services provided requires us to share Customers' Personal Data to run our everyday business – to process transactions, maintain customer accounts, and report to public institutions.

With whom may my Personal Data be shared?

We may disclose your Personal Data to:

Luminor shareholders (direct or indirect), in case the sharing is required by the regulatory enactments governing the activities of the shareholders or where the foregoing disclosure is based on the legitimate interests of the shareholders which includes the need to ensure that Luminor complies with the regulatory requirements to which its shareholders are subject;

Luminor group entities (for administrative and marketing purposes);

Luminor cooperation partners, with whom Luminor offers co-branded products and Services (for providing such Services and products as well as for marketing and advertising such products);

state institutions and other entities performing functions delegated to them by law;

authorized auditors, legal and financial advisers;

Personal Data processors and their sub-processors engaged by Luminor who process your Personal Data on behalf of Luminor, e.g. to assist Luminor in providing Services, fulfilling its obligations deriving from applicable laws and regulation, improving its systems, etc.;

any entity who is involved in the provision of Services to you, including entities involved for the fulfilment of your transactions (for example, correspondent banks, financial institutions, insurance companies, financial intermediaries, brokers, participants of, or parties to, payment, clearing or settlement systems, exchanges and other);

any entity who provides or intends to provide financing to Luminor, is involved in the provision of any type of financing (including by way of loan, public offering, issuing of any type of financial instruments, securities, notes, bonds), including entities arranging, structuring, organising, guaranteeing such financing or providing supporting services in connection with any of the aforementioned and their advisors. The foregoing disclosure is based on the legitimate interests of Luminor, and the financers, having the purpose of ensuring the consistency of our business and the continued provision of our Services, including the necessary financing for offering our Services;

any rating agency for the purpose of acquiring rating to Luminor or any financial instruments issued by Luminor. The foregoing disclosure is based on the legitimate interests of Luminor having the purpose of ensuring the consistency of our business and the continued provision of our Services, including the necessary financing for offering our Services;

debt collection companies, credit bureaus and other third parties to which Luminor may assign, pledge or transfer its rights and obligations;

a third party to the extent necessary for Luminor in order to protect or enforce its rights and legitimate interests, in particular upon breach of any obligations by the Customer, unless provided otherwise in the applicable law;

any person to whom the disclosure of Personal Data is required or allowed under the legislation applicable to Luminor or the activities of Luminor.

Data may also be transferred outside the European Union and European Economic Area (EU/EEA) in some cases, for example, when the Personal Data processor engaged by Luminor is located outside the EU/EEA and such data transfer is necessary to provide Service or when requested by a Customer. Data may be transferred outside the EU/EEA only when Luminor ensures appropriate safeguard measures as required by the GDPR and there is a legal ground for such transfer.

The list of our Personal Data processors is available here. This list can be changed without separate notice.

How does Luminor protect my Personal Data?

To protect your Personal Data from unauthorized access, unlawful Processing or disclosure, accidental loss, modification or destruction, we use appropriate measures that comply with applicable laws. These measures include technical measures, such as the selection and configuration of appropriate computer systems, securing relevant connections, and protection of data and files, as well as organizational measures, such as limiting access to these systems, files and facilities, careful selection and monitoring of hosting service providers.

V. Your rights in relation to Personal Data processing

What are my rights?

Luminor is dedicated to ensuring that Personal Data Processing is fair and transparent and all persons’ rights arising under applicable laws are always ensured. In particular, you have:

the right to access the Personal Data Luminor processes about you. Upon your request, Luminor shall:

confirm as to whether or not Personal Data relating to you are being processed and provide information as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed;

communicate to you about the Personal Data undergoing Processing and about any available information as to their source;

provide to you knowledge of the logic involved in any automated processing of Personal Data concerning you in the case of automated decisions.

the right to request us to rectify any inaccurate Personal Data;

when Processing of Personal Data is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal;

the right to receive the Personal Data Processed in a structured, commonly used and machine-readable format and the right to transmit the Personal Data to another controller under certain conditions;

under certain circumstances, you shall have the right to request erasure or restriction of Processing of the Personal Data;

the right to object to the Processing of the Personal Data for specific purposes and under certain conditions;

VI. How long Luminor retains Personal Data

How long is my Personal Data retained by Luminor?

Personal data is retained in accordance with the applicable laws and no longer than is necessary. Personal data retention periods are determined by Luminor and depend on the specific contract and basis of Personal Data Processing. For more detailed information on some retention periods and the principles for how we determine specific retention periods for your Personal Data processed by us, please follow this link.

VII. Profiling and automated decision making

What is profiling and automated decision making?

Profiling is Customer segmentation by evaluating the personal aspects relating to a natural person in order to apply a relevant service model or tailored marketing offers or perform risk assessment for anti-money laundering purposes.

Automated decision making is a form of decision making under which a certain decision regarding a person is made using automated means.

What does Luminor use profiling and automated decision making for?

Luminor uses profiling to prepare analyses for Customer advice, for direct marketing purposes, to support automated decision-making such as credit assessments, for risk management and for transaction monitoring to counter fraud, including automated collection of data from databases and making preliminary assessments and conclusions as to whether you are eligible for our Services, taking into account the relevant laws and regulations that apply to us and our internal procedures. Luminor uses profiling based on the following legal grounds:

consent from the Customer or in some limited cases also on the ground of legitimate interest. Luminor may use profiling to evaluate the Customer’s need, develop its Services, and provide more relevant and just-in-time Service offers. The legitimate interests for implementing the automated decision making means are as follows: automated decision-making processes are implemented for a smooth servicing process and for ensuring that we are able to comply with our legal obligations, taking into account the vast amount (in quality and quantity) of data to be processed for ensuring the timely and full compliance with our obligations deriving from applicable legislative acts and laws.

Do I have a right to choose if I want to be subject to a decision based on automated processing, including profiling?

Luminor may make a decision with respect to the Customer, including but not limited to making an assessment about the creditworthiness of the Customer based solely on automated processing of the Personal Data.

In such a case, the Customer has a right not to be subject to a decision based solely on automated processing, including profiling. Such right may be executed by the Customer if, based on the automated decision, Luminor has refused to enter into the contract or provide Services. Upon your request, a solely automated decision will be revised by Luminor employees.

More detailed descriptions of processes which include automated decision making can be found here.

VIII. Final provisions

Legal statement and validity

This Privacy Policy is not designed to form a legally binding contract between Luminor and the Customer – instead, it is a guide on our Personal Data protection standards. As we are constantly working on improving and developing our Services and websites we may change this Privacy Policy from time to time. We will not reduce your rights as a result of such changes. In the case of material changes and where we think it is relevant, we shall notify you via Luminor’s website, by post, via e-mail or internet bank messages or in another manner as chosen by us, not later than 1 (one) month prior to such amendments entering into force. The Privacy Policy shall also be available on request at customer service units.

Any questions?

If you have any questions or concerns regarding how Luminor processes Personal Data about you, or if you wish to exercise any of your rights, Luminor encourages you to contact us via telephone or e-mail or in writing to contact page.